Anonymous opponent heads for the hills—or maybe for another Twitter account.

The vigilante hacker who made a name for himself harassing Anonymous, disrupting WikiLeaks, and stalking “jihadist” sites is apparently lying low after threats to expose his real identity were made via Twitter on May 11. The person claiming to have details of The Jester’s identity plans to publish that information—after he passes the hat for Bitcoins first, allegedly in part to raise funds for WikiLeaks.

On May 14, The Jester's Twitter account was deleted. Later that day, another one sprang up with posts claiming to be The Jester—and announcing DoS attacks on some of his favorite targets.

It’s not clear if any of this is legitimate—whether it involves someone who has dirt on The Jester, someone who managed to hack The Jester’s Twitter account, or whether it is yet another master troll by The Jester himself (or by one of the many people who would like him to go hide for a while).

Plenty of people would like to see The Jester, who has in the past claimed to be “an ex-soldier with a rather famous unit,” taken down a peg. He has a long history of going after people seen as being on the wrong side of an issue, and he has angered former colleagues with his alleged credit-stealing, ego-tripping, and general grandstanding. A group of former operators from The Jester’s IRC channel on 2600, who now make up the group ReaperSec, are particularly disillusioned with what they see as The Jester's constant self-promotion, and with the whole “patriotic hacker” mythology.

While he has demonstrated the ability to DoS sites in the name of patriotic duty, some have called his actual technical skills into doubt. Just where skill ends and showmanship begins remains up for debate. But here's what we do know.

Patriot games

As Donald Rumsfeld would say, let’s start with the "known knowns" and the "known unknowns." Starting in early 2010, The Jester (or "th3j35t3r") began attacking “jihadist” websites—the “official” site of the Taliban, alemarah.info, being a frequent early target before it was shut down. He also used some social engineering to make it look like he had done more—for example, he used faked shortened links to make it look as if he had planted faked articles into the website of the Malta Independent Online and Tripoli Post.

In the US, he has attacked religious extremists of another ilk—DDoSing the website of Westboro Baptist Church (godhatesfags.com) in response to their picketing the funerals of US servicemen killed in Iraq and Afghanistan. Westboro’s site has been under frequent attack by The Jester over the last two years.

Then came WikiLeaks. In November 2010, The Jester claimed responsibility for the attack that briefly cut off access to the WikiLeaks website, just as the site was preparing to publish a digital trove of US embassy cables allegedly revealed by Bradley Manning. The Jester claimed to have staged the attack using his own attack tool, which he called XerXes. According to an analysis by US Army Major TJ O’Connor and published by SANS Institute, the XerXes tool, based on SlowLoris and RUDY (“R-U-Dead-Yet”) attacks, could cycle through a set of TOR network connections to launch its attacks—making it a quasi-distributed denial of service attack. The tool also could automatically post the results of an attack to Twitter.

A video of The Jester's XerXes DoS tool in action

The DDoS attack generated 10 gigabits per second of traffic against WikiLeaks’ Swedish servers—forcing the organization to move its services to Amazon’s cloud. (Amazon later booted WikiLeaks, claiming it had violated the terms of service.) But it’s not clear that XerXes’ “slow” attacks were what was used in the DDoS, or whether others were involved as well.

Last year, The Jester upgraded his attack tools as he continued to take on militant sites—using tools he calls Saladin and Leonidis. In a recent post to his blog (since removed, but pasted here), The Jester promised “full disclosure” on Saladin, but with “Leonidis [sic] not so much.” He has used these tools to continuously take down Islamic militant and other sites since last November.

For his Lulz only

Anonymous and LulzSec sit in a special place of (dis)honor in the darkest parts of The Jester’s heart, and the feeling is mutual. Perhaps it was Anonymous’ support of WikiLeaks that triggered The Jester’s animosity. But regardless of who talked the first trash, The Jester became engaged in hostile activities against Anonymous almost before the WikiLeaks attack had cooled off, targeting Anonymous’ IRC servers.

After that, The Jester claimed to have gone after Anonymous’ own attack tools. In December 2010, he claims to have altered Anonymous’ Low Orbit Ion Cannon (LOIC) DDoS tool. He advertised the patched tool to Anons as one that could make “your DDOS attacks up to 70x as effective. By combining IP and MAC source address spoofing, and trackers over TOR, anonymity is guaranteed.” In reality, he added a backdoor that broadcast in the clear the IP addresses of systems using the tool—and tailored the code to avoid detection by anti-virus utilities. Then he posted a blog informing Anonymous that their tool had been corrupted.

The story has a few gaps in it; for one, the LOIC tool never included any anonymization. Members of ReaperSec claim The Jester really just made the claims and got a friend to support them. So the whole story of the LOIC hack could be another case of "Jester Psychological Operations Theater."

Since then, Anonymous members and The Jester have continuously tried to find ways to “dox” each other, exposing identities. Anons have fingered a number of people as allegedly being The Jester, while he has engaged in some attempted exposé of his own.

Last June, The Jester tried to expose the LulzSec hacker Hector Xavier “Sabu” Monsegur, identifying him as “Xavier de Leon”—and getting Monsegur’s location (New York City) correct. He also identified e-mails and websites associated with Monsegur based on the IP address he left exposed in chat. But Backtrace Security had already successfully doxed Sabu, and the FBI used similar information to uncover Monsegur’s identity (to somewhat greater effect; they turned Monsegur into an informant).

Followers of The Jester have gotten in on the act, especially during sometime-Anon-spokesperson Barrett Brown’s involvement with OpCartel, the Anonymous efforts against the Mexican drug cartel the Zetas. After Brown accused a North Carolina district attorney of being connected with the Zetas, Brown's former address and phone numbers were “doxed.” Brown accused Robin Jackson, a Helena, Montana computer forensics consultant, of “promoting addresses of innocents for #Zetas” and labeling him ex-military, a “fascist” (in a post later deleted), and—most damning of all—“friends w/@th3j35t3r.” (Previously, some Anons had accused Jackson of actually being The Jester.)

In March, The Jester tried to exploit all his enemies at once with bait placed on his Twitter feed: a QR code that he claimed exploited a weakness in the WebKit mobile browser framework to collect Twitter credentials and other information from people on an “enemies list." The list included the Twitter accounts of members of Anonymous (including Barrett Brown), WikiLeaks, and Rhode Island Rep. Dan Gordon—who The Jester felt had made comments supportive of WikiLeaks. Once again, though, there's debate about whether this hack actually did anything other than create more uncertainty.

The enemy of my enemy

On May 10, someone set up a Twitter account, @cubespherical, under the name “Smedley Manning”—an allusion to presumed WikiLeaks leaker Bradley Manning. Through that account, the person started trying to get The Jester’s attention, requesting direct messages. About the same time, The Jester was posting to his blog, alluding to a big reveal on his Saladin tool. But he also alluded to potential trouble:

‘The worst enemy a person can acquire, is the enemy he once considered a friend.’ – Me – 2012

additionally….. and in complete back to back contradiction as we all know… I never double dip my quotes.

‘The enemy of my enemy is my friend’ – Unknown.

So the usual suspects… the boys at reapersec (lowercase intentional) are co-ordinating and finding themselves allies. It's funny because I was informed of an organized attempt to discredit me that would require a prescribed reaction from me over 18 hours ago.

So, like Babe Ruth pointing to the fence, The Jester appears to have pointed out the members of ReaperSec as the source for the doxing. On May 13, “Smedley Manning” publicly tweeted again, asking to talk in direct messages, posting The Jester’s alleged initials (RCD), wishing him a “Happy Birthday for next week,” and dropping other hints of personal knowledge. Those included allusions to a physical altercation in the past: “10 words for you. Dallas Cowboys. Scruffy Murphys GA, Shiner, Ft Benning, 2003. You.”

Later, “Smedley” posted screen shots of an alleged direct message conversation between him and The Jester, in which he told The Jester what he had on him. The conversation shows him telling The Jester that Smedley knows his name (blacked out), what unit he was with at Fort Benning (apparently the 75th Ranger Regiment), and the fact that he had moved on to a position at the Special Operations Command (SOCOM). And Smedley said that he would be dropping all The Jester’s personal information—including his résumé—once he had raised 20,000 BitCoins—partly to donate to WikiLeaks and partly for himself (“I am soon done here, and need a little settlement”).

But some of the details posted by @cubespherical were a bit off. He posted a link to a photo he claimed came off of The Jester’s personal Facebook profile; that photo, as an image search showed, wasn’t from Facebook but from a Georgia used car dealer’s website.

On the morning of May 14, The Jester’s Twitter account was deleted and the contents of his blog disappeared. But that evening, a new Twitter account, @th3j35tr, popped up claiming to be The Jester. Some familiar with him say it’s not him. Some, including Barrett Brown, believe “Smedley” is The Jester himself or another associate. Whoever is behind “Smedley” claims the new account is just a friend of The Jester’s trying to save face, while the “new” Jester congratulated @cubespherical on hacking his Twitter account and then announced, “The rumors of my death have been greatly exaggerated."

The new Jester account then announced that The Jester was bringing down WikiLeaks.org and Westboro Baptist Church’s sites. Again. If “he” is really him... but that’s a known unknown.

The comments aimed at reapersec were directed toward an article discrediting Jester's claims regarding his "Saladin" tool. One of their researchers proved that many sites he claimed to have hit with it were expired domains, old redirects, and hacks attributed to other groups.

The attempted "dox" included an obviously fake image, and a ridiculously flattering CV, and gave no clue how a random guy from a year-old bar fight not only knew Jester was this guy, but also knew who all the players have been in these dramas over the last year. (Check his follows)

And this guy, he *just* happens to be a supporter of Wikileaks, and a bitcoin user. And th3j35t3r reacts like there's a gun to his head, deletes everything without explanation from himself or his friends?

Not only this, but he assumes people want Jester's ID enough to fund him to the tune of 100K, but never asks Jester for money.

So now Jester can plausibly exit without explaining the fraud, but Smedley never has to actually deliver any info...too convenient.

1 post | registered May 15, 2012

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com // Twitter: @thepacketrat

So is this guy now calling his mom's basement the "Fortress of Solitude"? Did he always get picked last in a game of kickball? Sounds like someone needs to go play outside for a while and grow up a bit.

How is any of this news? Or interesting for people for that matter? This is on the level of reporting on 5th graders saying Becky said that Jane was dressing like a slut and did you see how she was talking to Becky's boyfriend in lunch the other day....

Does any of this endear either side to anyone? It just seems completely unnecessary and childish. My take on it is that if any of these "hactivist" groups want to be taken seriously, they need to disassociate themselves from this petulance.

Is the video not showing up for anyone else, or just me? IE9 on Win7x64 if that matters.

Works fine with Firefox on Win7x64. When was your flash player last updated?

Flash is completely up to date. So it's either a "this wasn't tested with Internet Explorer 9" thing, or if the content is on some other domain it could possibly be filtered. If past experience is any indicator, it's probably the former rather than the latter.

The video works fine here with IE 9 and Win 7

Strange, I don't know what the issue is, then. It's not being filtered because it works with Firefox on another system.

Couldn't get it to load in on the page, but did in a new tab. Using Chrome vers. 18.0.1025.165m & 19.0.1084.46m. IE 8 played it fine and FF 12 had the same issue as Chrome. All plug-ins (Flash, Java) are current.

I find it interesting to watch these "masked" people slug it out in private yet out in the open; it's my new form of entertainment for the time being.

My position is this: he's claimed to have done a lot of things, a good many that he has actually done. Some of them were more effective as performance art. But he is a master of the troll, and some of the things he's claimed don't hold up under scrutiny—just like the person claiming that they'll give up his ID as soon as they hit the goal on their pledge drive.

I am skeptical of all sides in this, regardless of their alleged politics.

Glad this was picked by the editors, it seems a very probable result. I agree with some of what The Jester has done, but by the same token I agree with some of what Anonymous has done. But other things I strongly disagree with. On balance, I am having difficulty seeing these as forces for good.

Whatever "tricks" the Jester wants to play are irrelevant as long as the curiosity that killed the cat does not lure the gullible into contributing Bit Coins to him. A more important error in your reporting: Dan Gordon is not a "Congressman" in Rhode Island. He represents District 71 in the lower State House of Representatives, one of 75 state house members. The total population of District 71 is a mere 13,888, which exceeds its voting population, and he has been mired in scandal virtually from the beginning of his term in January, 2011. He was expelled within months of his election for abusive conduct toward his colleagues by the Republican minority caucus in the lower state house, which consists of all of 10 members, as opposed to the Democrats' 65 members, and was stripped of all access to GOP resources within the state house. Later, he was arrested and discovered to be a fugitive from justice in Massachusetts, where he has a lengthy criminal record and has served time for numerous instances of assault and battery, including against women, as well as evading police. He blamed his problems on alcoholism developed as a result of PTSD from having served and been wounded in Iraq as a member of the United States Marine Corps. However, the Marines have no record that he ever served in Iraq, or anywhere overseas, nor do they have any record that he was ever wounded. If the Jester harasses him, few will shed any tears.

I can think of a number of reasons why it would be appropriately ironic (from his POV) but it probably is most likely due to the fact that he is not so much of an Islamophobe as he is anti-jihadist and pro-military.

That's what I was thinking. Saladin was well respected in the west, even by his opponents.

Hah, I was just commenting to write this as well. That was certainly an interesting choice of name to be attacking Islamist websites with.

In truth, this whole thing just sounds like a bunch of teenagers yelling "my dick is bigger than yours!" at each other. I'll admit though, it's pretty amusing, and I've certainly enjoyed following the drama as it unfolds. Keep up the good work.

I have to question his activism when he seemed to take aim at arbitrary targets, without any explanation as to why. He would label sites as "Jihadist" when they seemed orthodox rather than radical, when I did my own investigation of the sites' contents.

The end result was that these sites and their users saw the attack as coming from anti-Muslim bigots.

It's quite likely that he didn't have the necessary skills to identify such sites in Arabic or Urdu (two of the most common languages among the international Muslim population) and targeted completely innocent sites for the sake of appearing to do something.

Seemed to me he was working from a list. I never paid close attention until recently, because one of the sites I knew to belong to a moderate scholar who wasn't well liked by radicals. Quite a few seemed awfully normal.

So, the jester set up another twitter account and wants you to give him money to reveal himself, that won't actually be himself, but he'll direct you to the left and cash his pot...I'm sorry Bitcoins out on the right.